[hn_throwaway_99]

> What is a company like mine meant to do here to counter this problem?

What is hard about mailing everyone a hardware key? I honestly don't see the problem. It's not like you need to track it or anything, people can even use their own hardware keys.

1. Mail everyone a hardware key, or tell them if they already have one of their own they can just use that.

2. Tell them to enroll at https://landing.google.com/advancedprotection/

> Google Workspace actually lacks a lot of granular security features, something I wish they did better.

Totally agree with that one. Last time I checked you couldn't enforce that all employees use Advanced Protection in a Google Workspace account. However, you can still get this info (enabled or disabled) as a column in the Workspace Admin console so you can report on people who don't have it enabled. I'm guessing there is also probably a way to alert if it is disabled.

[toast0]

I can't tell you how happy I am that I don't have to fight with Google Workspace administration anymore. When I was doing it, getting TOTP enforcement enabled was very problematic. You couldn't just set the org to be enforced, because new users wouldn't be able to login, and then you'd have to turn it off for the org any day new people started, then make sure that everybody was enrolled (including existing employees that turned it off while they could), etc.

They finally fixed it, but it took them a long time, and in the meantime, horrible workarounds.

They also had no way of merging two company's accounts; which is fine because m&a never happens, and google never aquires anyone using google workspace (i certainly would refuse to be aquired by them after using their software, but I'm extra grumpy)